Malicious computer content has been rampant for over two decades now. Malicious content generally comes in the form of executable code that performs adverse operations, such as modifying a computer's operating system or file system, damaging a computer's hardware or hardware interfaces, or automatically transmitting data from one computer to another. Generally, malicious content is generated by hackers willfully, in order to exploit computer vulnerabilities. However, malicious content can also arise by accident, due to bugs in software applications.
Generally malicious content is transmitted as executable code inserted into files or into web pages. Originally, as each new malicious content was discovered, a signature of the content was collected by computer security companies and used from then on to detect the malicious content and protect computers against it. Users would routinely scan their file systems using computer security software, which regularly updated its signature database as new malicious content was discovered.
Such signature-based protection is referred to as “reactive”, since it can only protect in reaction to malicious content that has already been discovered.
Two generic types of computer security applications that are currently available to protect against malicious content are (i) gateway security applications, and (ii) desktop security applications. Gateway security applications shield against malicious content before the content is delivered to its intended destination client computer. Gateway security applications scan content, and block the content from reaching the destination client computer if the content is deemed by the security application to be potentially malicious.
In distinction, desktop security applications are local applications that shield against malicious content after the content reaches its intended destination client computer. Desktop security applications may use conventional reactive protection to scan incoming content for the presence of known signatures. Desktop security applications may also monitor content during run-time by monitoring requests made to an operating system, as described hereinbelow.
In addition to reactive security applications, which are based on databases of known malicious content signatures, recently “proactive” security applications have been developed. Proactive protection uses a methodology known as “behavioral analysis” to analyze computer content for the presence of malicious content. Behavior analysis is used to automatically scan and parse executable content, in order to detect which computer operations the content may perform. As such, behavioral analysis can block unknown malicious content that has not been previously detected and which does not have a signature on record, hence the name “proactive”.
Assignee's U.S. Pat. No. 6,092,194 entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, the contents of which are hereby incorporated by reference, describes gateway level behavioral analysis. Such behavioral analysis scans and parses content received at a gateway and generates a security profile for the content. A security profile is a general list or delineation of suspicious, or potentially malicious, operations that executable content may perform. The derived security profile is then compared against a security policy for the computer being protected, to determine whether or not the content's security profile violates the computer's security policy. A security policy is a general set of simple or complex rules, that may be applied logically in series or in parallel, which determine whether or not a specific operation is permitted or forbidden to be performed by the content on the computer being protected. Security policies are generally configurable, and set by an administrator of the computers that are being protected.
Assignee's U.S. Pat. No. 6,167,520 entitled SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES, the contents of which are hereby incorporated by reference, describes desktop level behavioral analysis. Desktop level behavioral analysis is generally implemented during run-time, while executable content is running on a client desktop computer. As the content is being processed, desktop security applications monitor calls made to critical systems of the client computer, such as the operating system, the file system and the network system. Desktop security applications use hooks to intercept calls made to operating system functions. Based on a predefined security policy, behavioral-based desktop security applications allow or block an operating system call made by content during run-time, depending on whether or not the call violates the security policy. Calls to WriteFile( ) and DeleteFile( ), for example, may violate the security policy, and thus be blocked.
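The gateway-level profile-versus-policy check and the desktop-level run-time check described above, as an added illustration that is not code from the patent or the assignee's products. The sample script, the operation-pattern table and the policy rules are constructed for the example; a real gateway parser and a real OS hook would feed the same policy engine.

```python
import fnmatch
import re

# Constructed sample content (not from the patent): a script whose operations a
# gateway inspector would parse out when deriving its security profile.
SAMPLE_CONTENT = r"""
var f = fso.OpenTextFile("C:\\boot.ini");
WriteFile(f, data);
DeleteFile("C:\\Windows\\hosts");
xhr.send(document.cookie);
"""

# Hypothetical parser table: a pattern for each potentially malicious operation.
OPERATION_PATTERNS = {
    "file.open":   re.compile(r"\bOpenTextFile\s*\("),
    "file.write":  re.compile(r"\bWriteFile\s*\("),
    "file.delete": re.compile(r"\bDeleteFile\s*\("),
    "net.send":    re.compile(r"\b(?:xhr|socket)\.send\s*\("),
}

# A security policy: rules applied in series, first match wins, default allow.
# Each rule is (operation pattern, "allow" | "deny"); an administrator sets these.
DEFAULT_POLICY = [
    ("file.open", "allow"),
    ("file.*", "deny"),
    ("net.send", "deny"),
]

def derive_security_profile(content: str) -> set:
    """Gateway-level behavioral analysis: scan and parse the content and list the
    suspicious operations it may perform (its security profile)."""
    return {op for op, pat in OPERATION_PATTERNS.items() if pat.search(content)}

def policy_decision(operation: str, policy) -> str:
    """Evaluate one operation against the policy rules in order."""
    for pattern, verdict in policy:
        if fnmatch.fnmatchcase(operation, pattern):
            return verdict
    return "allow"

def profile_violations(profile, policy) -> list:
    """Gateway check: which operations in the profile does the policy forbid?"""
    return sorted(op for op in profile if policy_decision(op, policy) == "deny")

def runtime_monitor(call_trace, policy) -> list:
    """Desktop-level check: each intercepted call (as a hook on WriteFile(),
    DeleteFile(), etc. would report it) is allowed or blocked against the policy."""
    return [(call, "block" if policy_decision(call, policy) == "deny" else "allow")
            for call in call_trace]
```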
Each of the various computer protection technologies, gateway vs. desktop, reactive vs. proactive, has its pros and cons. Reactive protection is computationally simple and fast; proactive protection is computationally intensive and slower. Reactive protection cannot protect against new “first-time” malicious content, and cannot protect a user if his signature file is out of date; proactive protection can protect against new “first-time” malicious content and does not require regular downloading of updated signature files. Gateway level protection keeps malicious content at a greater distance from a local network of computers. Desktop level protection is more accurate, since it runs on the same computer as the suspicious content. Desktop level protection is risky in that if a malicious request is missed, due to incomplete functionality or due to a software bug in the protection system, the consequences may be severe since the malicious content is already running on the client desktop computer. Desktop level protection is generally available in the consumer market for hackers to obtain, and is susceptible to reverse engineering; gateway level protection is not generally available to hackers.
Reference is now made to FIG. 1, which is a simplified block diagram of prior art systems for blocking malicious content, as described hereinabove. The topmost system shown in FIG. 1 illustrates a gateway level security application. The middle system shown in FIG. 1 illustrates a desktop level security application, and the bottom system shown in FIG. 1 illustrates a combined gateway+desktop level security application.
The topmost system shown in FIG. 1 includes a gateway computer 105 that receives content from the Internet, the content intended for delivery to a client computer 110. Gateway computer 105 receives the content over a communication channel 120, and gateway computer 105 communicates with client computer 110 over a communication channel 125. Gateway computer 105 includes a gateway receiver 135 and a gateway transmitter 140. Client computer 110 includes a client receiver 145. Client computer 110 generally also has a client transmitter, which is not shown.
Client computer 110 includes a content processor 170, such as a conventional CPU, which processes content and typically renders it for interactive viewing on a display monitor. Such content may be in the form of executable code, JavaScript, VBScript, PerlScript, Java applets and ActiveX controls.
Gateway computer 105 includes a content inspector 174 which may be reactive or proactive, or a combination of reactive and proactive. Incoming content is analyzed by content inspector 174 before being transmitted to client computer 110. If incoming content is deemed to be malicious, then gateway computer 105 preferably prevents the content from reaching client computer 110. Alternatively, gateway computer 105 may modify the content so as to render it harmless, and subsequently transmit the modified content to client computer 110.
Content inspector 174 can be used to inspect incoming content, on its way to client computer 110 as its destination, and also to inspect outgoing content, being sent from client computer 110 as its origin.
The middle system shown in FIG. 1 includes a gateway computer 105 and a client computer 110, the client computer 110 including a content inspector 176. Content inspector 176 may be a conventional signature-based security application, or a run-time behavioral based application that monitors run-time calls invoked by executing content to operating system, file system and network system functions.
The bottom system shown in FIG. 1 includes both a content inspector 174 at gateway computer 105, and a content inspector 176 at client computer 110. Such a system can support conventional gateway level protection, desktop level protection, reactive protection and proactive protection.
A drawback of the systems shown in FIG. 1 is that content inspector 174 is unable to inspect content that is illegible, such as encrypted content, scrambled content or compressed content. Neither signature-based nor behavior-based security methods can be applied to illegible content. When such content is received, inspector 174 either blocks the content, which may in fact be harmless, or allows the content, which may in fact be malicious. Blocking of harmless content impairs productivity, and allowing of malicious content may lead to severe damage.
Conventional digital rights management systems generally secure content by making it illegible, and such content generally cannot be scanned by inspector 174, unless the content's license restrictions or authentication logic are defeated. Thus it may be appreciated by those skilled in the art that digital rights management relies on technology that inherently prevents gateway security software from being able to inspect content. For example, malicious content, such as malicious music files and video files, may be processed by a digital rights management application, and pass through a gateway screening undetected.
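The illegible-content dilemma of the two preceding paragraphs, as an added example that is not code from the patent: a gateway inspector in the style of content inspector 174 scans what it can read, decompresses a known container format to regain legibility, and for content that stays illegible (a constructed high-entropy stand-in for encrypted or DRM-protected data) can only fall back to a configured block-or-allow action. The forbidden-operation list and entropy threshold are assumptions chosen for the example.

```python
import gzip
import math
import zlib
from collections import Counter

# Constructed samples (not from the patent): a benign script, a script invoking a
# forbidden file operation, its gzip-compressed form, and a stand-in for encrypted
# content, which the inspector cannot read.
BENIGN = b'document.title = "hello";'
MALICIOUS = b'DeleteFile("C:\\\\Windows\\\\system.ini");'
COMPRESSED = gzip.compress(MALICIOUS)
OPAQUE = bytes(range(256)) * 4   # uniform byte histogram: entropy 8.0 bits/byte

FORBIDDEN_OPERATIONS = (b"WriteFile(", b"DeleteFile(")   # assumed policy
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and source code sit well below 6, encrypted or
    well-compressed data approaches 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, threshold: float = 7.0) -> str:
    """'gzip'/'zip' for known containers, 'opaque' for high-entropy content the
    inspector cannot read, otherwise 'legible'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "opaque" if shannon_entropy(data) >= threshold else "legible"

def scan_legible(data: bytes) -> str:
    """Scan of readable content: block if a forbidden operation appears."""
    return "block" if any(op in data for op in FORBIDDEN_OPERATIONS) else "allow"

def gateway_inspect(data: bytes, illegible_action: str = "block") -> tuple:
    """Scan legible content; decompress gzip and scan the payload; for content
    that remains illegible, apply the configured fallback (block or allow)."""
    kind = classify(data)
    if kind == "gzip":
        try:
            return gateway_inspect(gzip.decompress(data), illegible_action)
        except (OSError, EOFError, zlib.error):
            kind = "opaque"   # damaged or fake container: treat as unreadable
    if kind == "legible":
        return (scan_legible(data), "scanned")
    return (illegible_action, "illegible:" + kind)
```

Whichever fallback is configured, the opaque sample is never actually scanned, which is the gap the text attributes to encrypted, scrambled and compressed content.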
Therefore there is a need for security applications that are able to protect against illegible content, such as content protected by digital rights management, that is generally encrypted, scrambled or compressed.